Buran Ransomware; the Evolution of VegaLocker


McAfee’s Advanced Threat Research Team observed a new ransomware family named ‘Buran’ appear in May 2019. Buran operates under a ransomware-as-a-service (RaaS) model, like REvil, GandCrab (now defunct) and Phobos. The author(s) take 25% of the income earned by affiliates, instead of the 30% to 40% cut charged by notorious families such as GandCrab, and they are willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. Their ads state that every affiliate will have a personal arrangement with them.


For this analysis we focus on one of the Buran hashes:



We will highlight the most important observations from our research into the malware and will share endpoint protection rules, IOCs and a YARA rule to detect it.


Buran Ransomware Advertisement


This ransomware was announced in a well-known Russian forum with the following message:

Buran is a stable offline cryptolocker, with flexible functionality and support 24/7.

Functionality:

Reliable cryptographic algorithm using global and session keys + random file keys;
Scan all local drives and all available network paths;
High speed: a separate thread works for each disk and network path;
Skipping Windows system directories and browser directories;
Decryptor generation based on an encrypted file;
Correct work on all OSs from Windows XP, Server 2003 to the latest;
The locker has no dependencies, does not use third-party libraries, only mathematics and WinAPI;
The completion of some processes to free open files (optional, negotiated);
The ability to encrypt files without changing extensions (optional);
Removing recovery points + cleaning logs on a dedicated server (optional);
Standard options: tapping, startup, self-deletion (optional);
Installed protection against launch in the CIS segment.


Conditions:


They are nego ..
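The advertisement above promises that the locker removes recovery points, cleans logs and deletes itself after running. The page does not say which commands Buran uses for any of this, so the following is an added detection sketch, not McAfee's rule and not code from the Buran sample: it matches process-creation command lines against the commands ransomware families commonly use for those three behaviours (vssadmin/wmic/wbadmin for shadow copies, bcdedit for recovery, wevtutil for event logs, a cmd-driven delete for self-removal). Those patterns, the record layout "pid|parent|cmdline" and the log lines are all constructed assumptions for illustration.

```python
"""
Behaviour-based detection sketch for three claims in the Buran ad:
"Removing recovery points + cleaning logs" and "self-deletion".
Added example; not McAfee's rule and not code from the Buran sample.
The command-line patterns are assumptions (the page does not state what
Buran actually executes), and the log records are constructed.
"""
import re
from dataclasses import dataclass

# Assumed patterns for the advertised behaviours. These are the commands
# ransomware families commonly use; the page does not confirm that Buran
# uses exactly these, so treat them as a starting point, not ground truth.
PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
    ],
    "event_log_cleared": [
        re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I),
        re.compile(r"Clear-EventLog", re.I),
    ],
    "self_deletion": [
        # "cmd /c ping ... & del <own path>": a delayed delete of the launcher
        re.compile(r"\bcmd(\.exe)?\b.*\bdel\b.*\.exe", re.I),
    ],
}


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str
    command_line: str


def classify(event):
    """Return the set of behaviour labels whose patterns match the command line."""
    hits = set()
    for label, regexes in PATTERNS.items():
        if any(rx.search(event.command_line) for rx in regexes):
            hits.add(label)
    return hits


def parse_line(line):
    """Parse one constructed 'pid|parent_image|command_line' record."""
    pid, parent, cmd = line.split("|", 2)
    return ProcessEvent(int(pid), parent, cmd)


def scan(lines):
    """Return [(pid, sorted labels)] for every record matching at least one pattern."""
    findings = []
    for line in lines:
        event = parse_line(line)
        labels = classify(event)
        if labels:
            findings.append((event.pid, sorted(labels)))
    return findings


# Constructed sample telemetry (not real Buran logs). The last record is a
# benign "vssadmin list shadows" and must not fire.
SAMPLE_LOG = [
    "4120|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt",
    "4188|C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|vssadmin.exe delete shadows /all /quiet",
    "4190|C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|wmic shadowcopy delete",
    "4194|C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|bcdedit /set {default} recoveryenabled No",
    "4201|C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|wevtutil cl System",
    "4210|C:\\Users\\u\\AppData\\Local\\Temp\\x.exe|cmd.exe /c ping 127.0.0.1 -n 3 & del \"C:\\Users\\u\\AppData\\Local\\Temp\\x.exe\"",
    "4300|C:\\Windows\\explorer.exe|vssadmin list shadows",
]

if __name__ == "__main__":
    for pid, labels in scan(SAMPLE_LOG):
        print(pid, ", ".join(labels))
```

In a real deployment the parent image matters as much as the command line: several of these matches from one short-lived parent in a user-writable directory, within seconds of each other, is the signal, while a single "vssadmin list" from an administrator's console is not. Tune the patterns against your own telemetry rather than treating the list as complete.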
